Groupon leaks entire Indian user database

Dude where's my .sql?
The entire user database of Groupon's Indian subsidiary was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site's 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail".

"A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."


Since leaving a security consulting position with Australian information security company Stratsec, Grzelak has been working on a start-up gaming media company with two friends.

As a side project, he created, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised.

Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.

The database includes leaked or stolen account information from 17 recent high-profile breaches. "There are now... 1.3 million records on the site," he said. "All the LulzSec releases are included as well as data from other high profile incidents such as the Mt. Gox Bitcoin exchange hack and the Gawker breach from a year ago."

Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.

The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.

Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.

Grzelak, meanwhile, says this type of accidental disclosure is actually quite common. "There are thousands of these databases indexed by Google," he said. "This just happened to be by far the biggest I found."

Groupon's statement is below:

On Friday morning India time (Thursday night Central US time), Groupon was alerted to a security issue potentially affecting subscribers of Sosasta, a website acquired by Groupon in January 2011.

After being alerted to this issue by an information security expert, we corrected the problem immediately. We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible. We will keep our Indian subscribers fully informed as we learn more.

Sosasta runs on its own platform and servers, and is not connected to Groupon sites in other countries.

We are thoroughly reviewing our security procedures for Sosasta and are implementing measures designed to prevent this kind of issue from recurring.

This issue does not affect data from any other country or region.

Groupon takes security and privacy very seriously. Our users' trust is of paramount importance to us and we deeply regret this incident. We will provide more information as soon as possible.

Ed: Some of the search string in the Google search screen capture has been redacted. It brought up more exposed databases...

Click here for the latest Risky Business podcast.